Friday, May 15, 2009

JAAS -> AD Configuration

JAAS (Java Authentication and Authorization Service) is a framework that can be used to plug authentication modules into a variety of products. You then write a JAAS configuration entry to load the module and tell it how to contact an authentication server (or whatever the module implements).

AD (MS Active Directory) is its usual challenging self. Most LDAP authentication modules assume there is anonymous browsing access. They browse to the user info, and then authenticate the user with a bind attempt. I don't understand why they work that way. If those two activities were reversed, so that the bind occurred first and the search second, you would never need anonymous browse access.

In any case, by default AD does not allow anonymous browse access, so these modules only work if you encode a special user name/password in your config files so the module can log in to AD, browse to the user info, and then bind again with the credentials of the user who is trying to authenticate.

It seems incredibly redundant to store a user name and password in config files so we can authenticate everyone, so let's try for a better solution.
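The bind-first approach argued for above, as an added example (not code from the original post): the module binds to AD with the user's own credentials and then searches with that same bound connection, so no service account ever has to live in a config file. The ldaps hostname is a placeholder; the search base is the one used in the ldapsearch command on this page.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Bind-first AD authentication via JNDI: no stored service account needed. */
public final class BindFirstAdAuth {
    // Placeholder host (assumption); use ldaps so the password is not sent in clear.
    private static final String LDAP_URL = "ldaps://ad.example.com:636";
    private static final String SEARCH_BASE = "OU=Users,OU=Vancouver,DC=Jokers,DC=com";

    /** Returns the user's distinguishedName on success, null if the credentials are rejected.
     *  Step 1 binds as the user (AD accepts the UPN "user@domain" as the principal);
     *  step 2 searches with that same bound context, so the user's own rights read the directory. */
    public static String authenticate(String upn, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            return null; // an empty password is an unauthenticated bind, which AD may accept; never treat it as success
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                 // step 1: bind as the user
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // {0} is escaped by JNDI, so a crafted UPN cannot alter the filter
            NamingEnumeration<SearchResult> results =
                ctx.search(SEARCH_BASE, "(userPrincipalName={0})", new Object[] {upn}, sc); // step 2
            if (!results.hasMore()) {
                return null;
            }
            return (String) results.next().getAttributes().get("distinguishedName").get();
        } catch (AuthenticationException e) {
            return null;                                      // bad password or unknown user (LDAP result 49)
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

Wrapped in a JAAS LoginModule, this replaces the search-then-bind sequence without any credentials in the configuration; the only thing the config needs is the server URL and search base.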

Bind authentication:

EMSUserAuthentication { required

ldapsearch command line access to AD server

ldapsearch -x -h -b "OU=Users,OU=Vancouver,DC=Jokers,DC=com" -W

Weirdly, the DN for AD looks like an e-mail address. What can I say? I don't know why this works, but this works. AD does not (by default) allow anonymous browsing, so you must authenticate (-D and -W) to list the info AD is storing.

This command is really useful for troubleshooting AD problems when you are trying to configure an app to authenticate against an AD server and you are not exactly sure of the settings. This utility allows you to quickly test different settings until you find something that works.